Hello everyone,

I need to create a Rails app where authentication and permissions for
certain application actions will be provided by an LDAP server. There is
a problem with LDAP connection management: as every user login will
spawn a new connection object instance, it may dangerously increase
application memory usage (tbh I don't know what will happen, nothing
good for sure) - the LDAP server can close a connection remotely after some
idle time, but some connection resources will remain in memory
nonetheless.
I've done some Google research on what may be the best course of action to
manage this issue and I think creating a connection pool sounds good.
I've committed a few average-sized Rails projects but nothing I've
experienced so far is giving me any clues how to implement this
solution.

I'll be happy to hear how you would do it.

Marcin,

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.


  • Craig White at Mar 6, 2012 at 8:57 pm

    No - only 1 connection to LDAP server using a special account for the purpose with sufficient privileges for the task.

    It's easy enough to create 'local' users who authenticate via LDAP and then you can manage their privileges/permissions via Rights/Roles if you want.

    simple ruby app using net-ldap

    #!/usr/local/bin/ruby
    # Check one user's password by attempting a simple bind over LDAPS.
    require 'rubygems'
    require 'net/ldap'

    $person = "cwhite"
    $passwd = "won't_work"

    ldap = Net::LDAP.new :encryption => :simple_tls,
                         :host => 'ldap.server',
                         :port => 636, # use 389 for non-ssl
                         :auth => {
                           :method   => :simple,
                           :username => "uid=" + $person + ", ou=people, dc=example, dc=com",
                           :password => $passwd
                         }

    # bind returns true only if the server accepts the credentials
    if ldap.bind
      p "LDAP authentication succeeded"
    else
      p "LDAP authentication failed"
    end

    Should give you enough of a concept for implementing in Rails

    Craig

  • Marcin S at Mar 7, 2012 at 6:11 am
    Yeah, I have login covered already, in a similar way, but what about
    application permissions?
    I can read it at login time, save it somewhere and never use LDAP
    again until next login - but when I give that user a cookie, and then
    authenticate him with it, any permission changes on LDAP won't have any
    effect (until next login).
    How would you solve that?

    Marcin

  • Craig White at Mar 7, 2012 at 7:07 pm

    As best as I understand your question, this is what I do.

    I have an SQL User class which shares the 'name' with the uid of the LDAP user and the user_id and the user_name are inserted into session variables which tie it together.

    Then I have all the controllers & methods of my application subject to Right/Roles permissions model so those can be changed at will since a 'before_filter' requires that a particular user has permissions to access. Thus while LDAP does authentication (user/password), I use my own hand rolled authorization scheme to allow/deny access to any/all methods & controllers. I don't store any Rails permissions on LDAP whatsoever.

    Craig
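
The pattern discussed in this thread, as an added example that is not code from either poster: the directory bind only proves identity at login, the session keeps just the user name, and rights are read from a local store on every request, so a permission change applies without a new login. The in-memory stores, the `binder` lambda standing in for a net-ldap bind, and all method names are hypothetical.

```ruby
# Added example. ROLE_RIGHTS/USER_ROLES stand in for the SQL rights/roles
# tables; authenticate, authorize! and binder are hypothetical names.
ROLE_RIGHTS = { 'editor' => ['reports#show', 'reports#update'],
                'viewer' => ['reports#show'] }
USER_ROLES  = { 'cwhite' => ['editor'] } # keyed by the LDAP uid

class AccessDenied < StandardError; end

# Login: the directory only answers "is this uid/password pair valid?".
# binder stands in for a net-ldap bind and returns true or false.
def authenticate(uid, password, session, binder)
  # A simple bind with an empty password is an unauthenticated bind, which
  # some servers report as success, so it must never reach the directory.
  return false if password.to_s.empty?
  # Accept only plain uids so the value cannot change the bind DN.
  return false unless uid.to_s.match?(/\A[a-z0-9_.-]{1,64}\z/i)
  return false unless USER_ROLES.key?(uid) && binder.call(uid, password)
  session[:user_name] = uid # identity only; no permissions are cached
  true
end

# What a before_filter would run on every request: rights are read from
# the local store each time, never from the session or cookie.
def authorize!(session, controller, action)
  roles  = USER_ROLES.fetch(session[:user_name], [])
  rights = roles.flat_map { |role| ROLE_RIGHTS.fetch(role, []) }
  return true if rights.include?("#{controller}##{action}")
  raise AccessDenied, "#{session[:user_name].inspect}: #{controller}##{action}"
end

def demo
  USER_ROLES['cwhite'] = ['editor'] # reset the constructed sample data
  binder  = ->(uid, pw) { uid == 'cwhite' && pw == 's3cret' } # fake directory
  session = {}
  results = [authenticate('cwhite', '', session, binder),       # empty password
             authenticate('cw,ou=x', 's3cret', session, binder), # DN metachar
             authenticate('cwhite', 's3cret', session, binder),
             authorize!(session, 'reports', 'update')]
  USER_ROLES['cwhite'] = ['viewer'] # an admin demotes the user mid-session
  results << (authorize!(session, 'reports', 'update') rescue :denied)
end

p demo if __FILE__ == $PROGRAM_NAME
```

The last entry is `:denied` for the same session that was allowed a moment earlier, which is the behaviour the cookie question above asks for.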


Discussion Overview
group: rubyonrails-talk
categories: rubyonrails
posted: Mar 6, '12 at 7:54p
active: Mar 7, '12 at 7:07p
posts: 4
users: 2
website: rubyonrails.org
irc: #RubyOnRails
